Three-Layer Stack
How WitnessOps separates operator contracts, execution runtime, and proof infrastructure.
The three-layer stack defines ownership boundaries so intent, execution, and proof are not collapsed into one trust surface.
1. Problem this page solves
When operator contracts, runtime execution, and proof production are mixed, reviewers cannot tell which layer owns which claim or failure.
This page separates those layers and defines how they connect.
2. What you should understand after reading
After this page, you should understand:
- what each layer owns
- where layer handoffs occur
- how trust and failure interpretation change by layer
3. Mechanism-first layer model
| Layer | Owns | Does not own |
|---|---|---|
| Operator Contracts | intent routing, launch semantics, reporting contract | direct tool execution and proof signing |
| Execution Runtime | governed execution, policy gates, scope/approval enforcement, evidence capture | final proof authority |
| Proof Infrastructure | signing, continuity, bundle integrity, verification interfaces | security tool execution |
Layer handoff sequence
Operator Contracts define what should run
-> Execution Runtime executes under governance controls
-> Proof Infrastructure binds execution artifacts into proof continuity
-> verification consumers evaluate proof outputs
4. Observed vs inferred
| Claim type | What is claimed | Basis and limits |
|---|---|---|
| Observed | Layer ownership boundaries, handoff sequence, control/proof responsibilities | None beyond declared model |
| Inferred | Auditability and review quality improve when boundaries are respected | Depends on implementation discipline and enforcement quality |
5. Trust assumptions
Layer separation improves clarity, but does not remove all trust:
- Execution Runtime still depends on runtime/tool integrity
- Proof Infrastructure still depends on key and trust-root integrity
- Operator Contracts still depend on truthful policy/intent inputs
A layer can be internally correct while another layer fails; this is why failure interpretation must stay layer-specific.
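An added example, not WitnessOps code, of a verification consumer that names the layer a failure belongs to instead of returning a single pass/fail. The record fields, the failure-to-layer mapping, and HMAC standing in for the proof layer's signing are all assumptions made for illustration.

```python
import hashlib, hmac, json

# Hypothetical record shapes and key; the page does not define real formats.
KEY = b"constructed-demo-key"  # HMAC stands in for the proof layer's signing

def digest(obj):
    """SHA-256 over a canonical JSON encoding of a record."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def tag_for(record, key):
    return hmac.new(key, digest(record).encode(), hashlib.sha256).hexdigest()

def run(contract, approved_scope):
    """Execution Runtime: enforce the scope gate, capture evidence bound to the contract."""
    if contract["target"] not in approved_scope:
        raise PermissionError("scope gate: target not approved")
    return {"contract_digest": digest(contract), "evidence": "ran " + contract["action"]}

def seal(record, key=KEY):
    """Proof Infrastructure: bind the execution record into an integrity-protected bundle."""
    return {"record": record, "tag": tag_for(record, key)}

def verify(contract, bundle, key=KEY):
    """Verification consumer: return the layer a failure belongs to, or 'ok'."""
    if not {"action", "target"} <= contract.keys():
        return "operator_contracts"      # intent input is incomplete
    if not hmac.compare_digest(tag_for(bundle["record"], key), bundle["tag"]):
        return "proof_infrastructure"    # bundle integrity broken
    if bundle["record"]["contract_digest"] != digest(contract):
        return "execution_runtime"       # executed something other than the contract
    return "ok"

def demo():
    contract = {"action": "config-audit", "target": "host-a"}  # constructed sample
    good = seal(run(contract, {"host-a"}))
    tampered = {"record": dict(good["record"], evidence="edited"), "tag": good["tag"]}
    other = {"action": "other-task", "target": "host-a"}
    drifted = seal(run(other, {"host-a"}))  # valid proof over the wrong execution
    return [verify(contract, b) for b in (good, tampered, drifted)]

if __name__ == "__main__":
    print(demo())
```

The third case is the one the paragraph above describes: the proof layer is internally correct (the tag verifies) while the runtime's record does not match the contract.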
6. Next-page handoff
Next, read Security Practices to see how this layer model maps to current operational controls, limits, and trust posture.
Then use Governed Execution for step-level runtime mechanics.